Posts Tagged: Cyberbunker

Aug 16

Inside ‘The Attack That Almost Broke the Internet’

In March 2013, a coalition of spammers and spam-friendly hosting firms pooled their resources to launch what would become the largest distributed denial-of-service (DDoS) attack the Internet had ever witnessed. The assault briefly knocked offline the world’s largest anti-spam organization, and caused a great deal of collateral damage to innocent bystanders in the process. Here’s a never-before-seen look at how that attack unfolded, and a rare glimpse into the shadowy cybercrime forces that orchestrated it.

The following are excerpts taken verbatim from a series of Skype and IRC chat room logs generated by a group of “bullet-proof cybercrime hosts” — so called because they specialized in providing online hosting to a variety of clientele involved in spammy and scammy activities.

Facebook profile picture of Sven Olaf Kamphuis

Facebook profile picture of Sven Olaf Kamphuis

Gathered under the banner ‘STOPhaus,’ the group included a ragtag collection of hackers who got together on the 17th of March 2013 to launch what would quickly grow to a 300+Gigabits per second (Gbps) attack on, an anti-spam organization that they perceived as a clear and present danger to their spamming operations.

The attack –a stream of some 300 billion bits of data per second — was so large that it briefly knocked offline Cloudflare, a company that specializes in helping organizations stay online in the face of such assaults. Cloudflare dubbed it “The Attack that Almost Broke the Internet.

The campaign was allegedly organized by a Dutchman named Sven Olaf Kamphuis (pictured above). Kamphuis ran a company called CB3ROB, which in turn provided services for a Dutch company called “Cyberbunker,” so named because the organization was housed in a five-story NATO bunker and because it had advertised its services as a bulletproof hosting provider.

Kamphuis seemed to honestly believe his Cyberbunker was sovereign territory, even signing his emails “Prince of Cyberbunker Republic.” Arrested in Spain in April 2013 in connection with the attack on Spamhaus, Kamphuis was later extradited to The Netherlands to stand trial. He has publicly denied being part of the attacks and his trial is ongoing.

According to investigators, Kamphuis began coordinating the attack on Spamhaus after the anti-spam outfit added to its blacklist several of Cyberbunker’s Internet address ranges. The following logs, obtained by one of the parties to the week-long offensive, showcases the planning and executing of the DDoS attack, including digital assaults on a number of major Internet exchanges. The record also exposes the identities and roles of each of the participants in the attack.

The logs below are excerpts from a much longer conversation. The entire, unedited chat logs are available here. The logs are periodically broken up by text in italics, which includes additional context about each snippet of conversation. Also please note that the logs below may contain speech that some find offensive. Continue reading →

May 13

Conversations with a Bulletproof Hoster

Criminal commerce on the Internet would mostly grind to a halt were it not for the protection offered by so-called “bulletproof hosting” providers — the online equivalent of offshore havens where shady dealings go ignored. Last month I had an opportunity to interview a provider of bulletproof services for one of the Web’s most notorious cybercrime forums, and who appears to have been at least partly responsible for launching what’s been called the largest cyber attack the Internet has ever seen.'s intro to Darkode’s intro post to Darkode

Earlier this year, the closely-guarded English-language crime forum was compromised and came under a series of heavy distributed denial-of-service (DDoS) attacks aimed at keeping it offline. Around that same time, welcomed a new member — a bulletproof hosting broker aptly named “” — who promised to defend the site from future DDoS attacks. also said he could offer more robust and crime-friendly hosting services than darkode’s previous provider — Santrex, literally an offshore hosting facility located in the Seychelles, a 115-island country that spans an archipelago in the Indian Ocean.’s timing was perfect: Darkode desperately needed both, and seemed to know his stuff, so he was admitted to the forum and given stewardship of the site’s defense and hosting. recruits Stophaus members on darkode. recruits Stophaus members on darkode.


Of course, to successfully defend a network against DDoS attacks one must know a great deal about how to launch such assaults. Indeed, was an integral member of Stophaus, an upstart group of bulletproof hosters that banded together in March to launch a massive Internet attack against anti-spam group

Hundreds of ISPs route or deny traffic based in part on Spamhaus’s blacklists of known, cybercrime-friendly ISPs, and Stophaus formed in response to Spamhaus’s listing of bulletproof hosting provider in particular: A network known alternatively as CB3ROB, a.k.a. “Cyberbunker” because it operated from a heavily fortified NATO bunker in The Netherlands. is moderator of the Stophaus forum, and not long after joining, he was recruiting fellow darkode members for the Stophaus cause. Stophaus’s records show that another core member was “0ptik,” a competing bulletproof hosting provider. Spamhaus had listed dozens of Optik’s domains, as well as virtually all of the IP address ranges had rented at abuse-friendly Romanian hosting provider Voxility. It was payback time.

In late March, Spamhaus became the target of what experts called one of the largest computer attacks on the Internet. The method of attack — a DNS amplification attack — was similar to that first seen used in attacks more than a decade ago that targeted the heart of the Internet’s routing system, except that it was by most accounts much larger. calls Spamhaus assault "our prank." calls Spamhaus assault “our prank.”

“DNS amplification attacks can bring up to 140 Gbps to a single resource from a single controller,” wrote in a posting less than 24 hours after the attack on Spamhaus began. “The beauty of it [is] that the ‘bots’ are just open DNS resolvers in the world.” Linking to a writeup from about the attack, stated that “Some BP hosters were lately united, check out our latest prank.”

Last month, authorities in Spain arrested Sven Kamphuis, a 35-year-old Dutch man, thought to be responsible for coordinating the unprecedented attack on Spamhaus. According to Spamhaus, Kamphuis made claims about being his own independent country in the Republic of Cyberbunker. But according to, Kamphuis was just the public face of the movement. “Sven didn’t attack anyone,” wrote in an online chat with KrebsOnSecurity.

If Kamphuis was just a mouthpiece, who was responsible for the attack? What is interesting about the Stophaus movement is that very well may have prompted Spamhaus to finally place CB3ROB/Cyberbunker at the top of its World’s Worst Spam-Support ISPs list, a move that helped to precipitate this conflict.

According to Spamhaus, while Cyberbunker and Spamhaus certainly have a bit of a history together, Cyberbunker wasn’t really a focus of Spamhaus’s blocking efforts until the fall of 2012. That’s when Spamhaus began noticing a large number of malware and botnet control servers being stood up inside of Cyberbunker’s Internet address ranges.

“We didn’t really notice these guys at CB3ROB much until last fall, when they started hosting botnet controllers, malware droppers and a lot of pharma spam stuff,” said a Spamhaus member who would only give his name as “Barry.” “Before that, it was mainly routing for some Chinese guys — Vincent Chan — fake Chinese products.” sells BP hosting out of Cyberbunker selling BP hosting out of Cyberbunker

Oddly enough, this coincides with’s entrance on the bulletproof hosting scene (at least as advertised on crime forums). In his introduction post to Darkode,  referenced his bulletproof hosting sales threads at two Russian-language forums — and In these threads, which began in Sept. 2012, advertised the ability to host ZeuS and SpyEye botnet command and control networks for between $99 and $199 per month, and bulletproof domain registration from $30 per month. More importantly, proudly announced that he was offering a premiere BP hosting service for $400 a month that was housed in an old NATO bunker in Holland and that used IP addresses assigned to CB3ROB (see screenshot to left).

Continue reading →

Apr 13

Dutchman Arrested in Spamhaus DDoS

A 35-year-old Dutchman thought to be responsible for launching what’s been called “the largest publicly announced online attack in the history of the Internet” was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as “SK,” was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization.

Facebook profile picture of Sven Olaf Kamphuis

Facebook profile picture of Sven Olaf Kamphuis

According to a press release issued by the Public Prosecutor Service in The Netherlands, the National Prosecutor in Barcelona ordered SK’s arrest and the seizure of computers and mobile phones from the accused’s residence there. The arrest is being billed as a collaboration of a unit called Eurojust, the European Union’s Judicial Cooperation Unit.

The dispute began late last year, when Spamhaus added to its blacklist several Internet address ranges in the Netherlands. Those addresses belong to a Dutch company called “Cyberbunker,” so named because the organization is housed in a five-story NATO bunker, and has advertised its services as a bulletproof hosting provider.

“A year ago, we started seeing pharma and botnet controllers at Cyberbunker’s address ranges, so we started to list them,” said a Spamhaus member who asked to remain anonymous. “”We got a rude reply back, and he made claims about being his own independent country in the Republic of Cyberbunker, and said he was not bound by any laws and whatnot. He also would sign his emails ‘Prince of Cyberbunker Republic.” On Facebook, he even claimed that he had diplomatic immunity.”

Cyberbunker's IP ranges. Its  WHOIS records put the organization in Antarctica.

Cyberbunker’s IP ranges. Its WHOIS records put the organization in Antarctica.

Spamhaus took its complaint to the upstream Internet providers that connected Cyberbunker to the larger Internet. According to Spamhaus, those providers one by one severed their connections with Cyberbunker’s Internet addresses. Just hours after the last ISP dropped Cyberbunker, Spamhaus found itself the target of an enormous amount of attack traffic designed to knock its operations offline.

It is not clear who SK is, but according to multiple sources, the man identified as SK is likely one Sven Olaf Kamphuis. The attack on Spamhaus was the subject of a New York Times article on Mar. 26, 2013, which quoted Mr. Kamphuis as a representative of Cyberbunker and saying, “We are aware that this is one of the largest DDoS attacks the world had publicly seen.” Kamphuis also reportedly told The Times that Cyberbunker was retaliating against Spamhaus for “abusing their influence.”

Also, a Facebook profile by that same name identifies its account holder as living in Barcelona and a native of Amsterdam, as well as affiliated with “Republic Cyberbunker.”

Mr. Kamphuis could not be immediately reached for comment.